Ben Langhofer, a financial planner and single father of three in Wichita, Kansas, decided to start a side business. He had made a manual for his family, setting out core values, a mission statement and a constitution. He wanted to help other families put their beliefs into a real book, one they could hold and display.
So Langhofer hired web developers about two years ago and set up a website, a customer relationship management system, and payment processing. On Father’s Day, he launched MyFamilyHandbook.com. He has had modest success and has spoken with larger groups about bulk orders, but business has been pretty quiet so far.
That’s how Langhofer knew something was wrong on Friday, August 11, when a woman from California called about a fraudulent charge. He checked his merchant account and saw almost 800 transactions.
“My heart sank,” Langhofer told Ars on Thursday. He immediately contacted his payment provider, Stripe, which he said told him about card testing, a scheme in which online card thieves use a tiny charge on an account to test whether cards are valid. Stripe said it would issue a bulk refund, Langhofer said. Knowing that his payment processor was aware of the problem, he spent his weekend.
Langhofer woke up early Monday morning to a flurry of missed calls.
He said there had been nearly 11,000 additional attempted transactions on his site, each for $1, most of them initiated from email addresses that were vastly different from each other. Many of them involved Ally Bank cards, Langhofer said. He had previously received only two phone calls to the forwarded number listed in his online store, but now his phone kept ringing.
“My dad always taught me to have a good name, so it hurts,” he said. “I don’t have a big staff, but I have a big name in Wichita, in this state. Now my business is tied to this, and I have no idea what’s next.” In text messages ahead of an Ars Technica interview, Langhofer said the ordeal “consumed my whole week and caused more panic than I remember having had in a long time.”
For sale: debit cards, very little used
Langhofer’s business appears to be the victim of a string of fraud that has affected thousands of debit card customers over the past week. Most prominent among them are Ally Bank customers, who have been tweeting and posting to the r/AllyBank subreddit about charges on cards, some of which have never been activated or used. They have reported (and Ars Technica has seen) phone support wait times of up to an hour or more.
There is an overwhelming feeling that something is up, but for days the major parties had yet to confirm anything.
(Update 4:56 p.m.: A spokesperson for Ally Bank said in a statement: “Overall, the financial services industry is seeing an increase in debit card fraud activity caused by bad actors.” The statement noted that unauthorized transactions reported within 60 days of a report will result in a new card and refunded fees.
The statement adds: “Call centers are experiencing longer than usual wait times due to nationwide staffing issues, combined with increased call volumes. This is not unique to Ally.”)
Two of those wondering what’s going on are Stephen Fuchs and Curt Grimes, a Chicago-area couple who spoke with Ars Technica and shared their documentation. They opened their joint Ally checking account in March 2022. The two had linked debit cards, each with different numbers. Fuchs never activated his card. Until last week, Grimes had only used his card once, to send someone around $5 via Apple Cash.
On August 10, a $15 charge from an original software site appeared on one of their cards, but it went unnoticed. On Friday, August 12, Grimes received a text fraud alert from Ally, warning him of charges from two different Shopify stores for nearly $200. Grimes reported the charges as fraudulent, and Ally (and Apple Pay) reported that the card had been suspended. After spending nearly an hour waiting for Ally on the phone on Saturday, August 13, Grimes disputed the earlier $15 charge and saw in his Ally app that a new card, with a new number, was on the way.